To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers, Department and Division Heads, and All Examining Personnel

Description: Supplement

The guidance attached to this bulletin continues to apply to federal savings associations.

In October 2005, the Federal Financial Institutions Examination Council agencies1 issued guidance entitled Authentication in an Internet Banking Environment. Since the issuance of the guidance, Internet-based fraud incidents have increased, particularly with respect to commercial2 accounts and the use of automated payment mechanisms (e.g., wire transfers and automated clearinghouse payments). The agencies are issuing the attached supplement to the guidance to reinforce the guidance’s risk management framework and to update their expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.

It is essential that national banks review their current controls against the principles outlined in the guidance and supplement and, if necessary, develop and implement appropriate action plans to strengthen and enhance their controls. National banks should perform periodic risk assessments considering new and evolving threats to online accounts and have effective controls to limit and mitigate the elevated risks that are generally present with transactions of retail/consumer and business/commercial accounts. These controls must be tailored to, and appropriate for, each bank’s operations and threat environment. Examiners will continue to assess the adequacy of banks’ controls, including any remediation plans, as part of their ongoing supervision and the enhanced expectations outlined in the supplement, beginning in January 2012.

You may direct questions or comments regarding this guidance to your supervisory office or to the Bank Information Technology Division at (202) 874-4740.

1Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.

2 For the purposes of this guidance these accounts generally include business, nonprofit, and governmental accounts.